NetBSD Problem Report #53512

From www@NetBSD.org  Sat Aug 11 13:50:10 2018
Return-Path: <www@NetBSD.org>
Received: from mail.netbsd.org (mail.netbsd.org [199.233.217.200])
	(using TLSv1.2 with cipher ECDHE-RSA-AES256-GCM-SHA384 (256/256 bits))
	(Client CN "mail.NetBSD.org", Issuer "mail.NetBSD.org CA" (not verified))
	by mollari.NetBSD.org (Postfix) with ESMTPS id 432967A19B
	for <gnats-bugs@gnats.NetBSD.org>; Sat, 11 Aug 2018 13:50:10 +0000 (UTC)
Message-Id: <20180811135008.CA1147A1D7@mollari.NetBSD.org>
Date: Sat, 11 Aug 2018 13:50:08 +0000 (UTC)
From: venture37@geeklan.co.uk
Reply-To: venture37@geeklan.co.uk
To: gnats-bugs@NetBSD.org
Subject: A dynamically configured which has not yet obtained an address can cause npf & npfd to fail
X-Send-Pr-Version: www-1.0

>Number:         53512
>Category:       bin
>Synopsis:       A dynamically configured which has not yet obtained an address can cause npf & npfd to fail
>Confidential:   no
>Severity:       serious
>Priority:       medium
>Responsible:    maxv
>State:          closed
>Class:          sw-bug
>Submitter-Id:   net
>Arrival-Date:   Sat Aug 11 13:55:00 +0000 2018
>Closed-Date:    Tue Oct 30 13:58:55 +0000 2018
>Last-Modified:  Tue Oct 30 13:58:55 +0000 2018
>Originator:     Sevan Janiyan
>Release:        NetBSD-8
>Organization:
>Environment:
NetBSD 8.0 macppc powerpc
>Description:
A rule which calls inet4() or inet6() to obtain the address of an interface fails if an address has not been obtained by the time npf has been started by rc.d. This is a problem on a system where the interface is wireless and associating takes a while. The follow-on from this is npfd failing to start with "npfd: pcap_dump_open failed for `/var/log/npflog0.pcap': /var/log/npflog0.pcap: not-yet-activated pcap_t passed to pcap_dump_open"
>How-To-Repeat:
On a system with a wifi interface which connects to a WPA-protected network & is configured via DHCP.

create the following /etc/npf.conf
# Derived from /usr/share/examples/npf/host-npf.conf
$wifi_if = "urtwn0"
$wifi_v4 = { inet4(urtwn0) }
$wifi_v6 = { inet6(urtwn0) }

$dhcpserver = { 198.51.100.1 }

# sample udp service
$services_udp = { ntp }

# sample mixed service
$backupsrv_v4 = { 198.51.100.11 }
$backupsrv_v6 = { 2001:0DB8:404::11 }
$backup_port = { amanda }

# watching a tcpdump of npflog0, when it only logs blocks,
# can be very helpful for building the rules you actually need
procedure "log" {
	log: npflog0
}

group "wifi" on $wifi_if {
	# linklocal
	pass in  final family inet6 proto ipv6-icmp  to fe80::/10
	pass out final family inet6 proto ipv6-icmp from fe80::/10

	# administrative multicasts
	pass in  final family inet6 proto ipv6-icmp  to ff00::/10
	pass out final family inet6 proto ipv6-icmp from ff00::/10

	pass in  final family inet6 proto ipv6-icmp to $wifi_v6
	pass in  final family inet4 proto icmp      to $wifi_v4

	pass in  final family inet4 proto tcp \
		from any port bootps to $wifi_v4 port bootpc
	pass in  final family inet4 proto udp \
		from any port bootps to $wifi_v4 port bootpc

	pass in final family inet6 proto tcp flags S/SA to $wifi_v6 port ssh

	pass in final family inet6 proto udp to $wifi_v6 port $services_udp
	pass in final family inet4 proto udp to $wifi_v4 port $services_udp

	# IPSEC
	pass in final family inet6 proto udp to $wifi_v6 port isakmp
	pass in final family inet4 proto udp to $wifi_v4 port isakmp
	pass in family inet6 proto esp all
	pass in family inet4 proto esp all

	# only SYN packets need to generate state
	pass stateful out final family inet6 proto tcp flags S/SA \
		from $wifi_v6
	pass stateful out final family inet4 proto tcp flags S/SA \
		from $wifi_v4
	# pass the other tcp packets without generating extra state
	pass out final family inet6 proto tcp from $wifi_v6
	pass out final family inet4 proto tcp from $wifi_v4

	# all other types of traffic, generate state per packet
	pass stateful out final family inet6 from $wifi_v6
	pass stateful out final family inet4 from $wifi_v4
}

group default {
	pass final on lo0 all
	block all apply "log"
}

enable npf & npfd alongside wpa_supplicant & dhcpcd in /etc/rc.conf
wpa_supplicant=YES
wpa_supplicant_flags="-i urtwn0 -c /etc/wpa_supplicant.conf"
dhcpcd=YES
dhcpcd_flags="-b"
npf=YES
npfd=YES
>Fix:

>Release-Note:

>Audit-Trail:

State-Changed-From-To: open->feedback
State-Changed-By: maxv@NetBSD.org
State-Changed-When: Mon, 03 Sep 2018 06:14:44 +0000
State-Changed-Why:
Use ifaddrs() instead of inet4()/inet6(). inetX are static, and can't work
in your case, see the latest npf.conf(5) man page. Can you try?
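
The distinction maxv draws above (inet4()/inet6() resolve once at load time, ifaddrs() tracks address changes) is the kind of thing worth catching before npf is started at boot. The following preflight check is an added example, not code from this PR or from the npf project: it scans an npf.conf for inet4()/inet6()/ifaddrs() interface references, reads ifconfig(8)-style output supplied by the caller, and reports every static reference whose interface currently has no address of that family, suggesting the ifaddrs() form instead. The npf.conf snippets and ifconfig output in the block are constructed (192.0.2.0/24 is documentation address space, the interface name urtwn0 is taken from the report); the assumption that a link-local IPv6 address is enough to satisfy inet6() is mine, as is the ifconfig line layout the parser expects.

```python
"""Preflight check for static interface-address references in npf.conf.

Added example, not code from the NetBSD PR or from the npf project:
it scans an npf.conf for inet4(ifname)/inet6(ifname) references, which
npfctl resolves once at load time, and reports any whose interface has
no address of that family right now (for example a wireless interface
that has not associated and obtained a DHCP lease yet).  ifaddrs(ifname)
references are dynamic and are reported as safe.  Interface state comes
from ifconfig(8)-style text passed in by the caller; the samples below
are constructed, not captured from a real machine.
"""
import re

# inet4(urtwn0), inet6( urtwn0 ), ifaddrs("urtwn0"): function name and
# interface name, with optional quotes and whitespace.
REF_RE = re.compile(r'\b(inet4|inet6|ifaddrs)\(\s*"?([A-Za-z0-9_.-]+)"?\s*\)')

# ifconfig(8) output: interface headers start in column 0 ("urtwn0: flags=...");
# address lines are indented and begin with "inet" or "inet6".
IFACE_RE = re.compile(r'^([A-Za-z0-9_.-]+):\s')
ADDR_RE = re.compile(r'^\s+(inet6?)\s+(\S+)')

# npf.conf function name -> address family keyword used by ifconfig(8)
FAMILY_FOR = {"inet4": "inet", "inet6": "inet6"}


def parse_ifconfig(text):
    """Return {ifname: {"inet": [addr, ...], "inet6": [addr, ...]}}.

    Every address of a family counts, link-local included; that is the
    assumption made here about what a static inet6() reference resolves to.
    """
    ifaces = {}
    current = None
    for line in text.splitlines():
        m = IFACE_RE.match(line)
        if m:
            current = m.group(1)
            ifaces.setdefault(current, {"inet": [], "inet6": []})
            continue
        m = ADDR_RE.match(line)
        if m and current is not None:
            ifaces[current][m.group(1)].append(m.group(2))
    return ifaces


def find_references(conf_text):
    """Return [(lineno, func, ifname), ...] for every interface reference."""
    refs = []
    for lineno, line in enumerate(conf_text.splitlines(), start=1):
        code = line.split("#", 1)[0]          # ignore comments
        for func, ifname in REF_RE.findall(code):
            refs.append((lineno, func, ifname))
    return refs


def check_config(conf_text, ifconfig_text):
    """Return a list of problem strings; an empty list means nothing blocks loading."""
    ifaces = parse_ifconfig(ifconfig_text)
    problems = []
    for lineno, func, ifname in find_references(conf_text):
        if func == "ifaddrs":
            continue                          # dynamic: tracks address changes
        if ifname not in ifaces:
            problems.append(f"line {lineno}: {func}({ifname}): no such interface")
            continue
        family = FAMILY_FOR[func]
        if not ifaces[ifname][family]:
            problems.append(f"line {lineno}: {func}({ifname}): no {family} address yet; "
                            f"use ifaddrs({ifname}) with a 'family {func}' rule instead")
    return problems


# --- constructed samples -------------------------------------------------
STATIC_CONF = """\
$wifi_if = "urtwn0"
$wifi_v4 = { inet4(urtwn0) }   # resolved once, at npf load time
$wifi_v6 = { inet6(urtwn0) }
"""

DYNAMIC_CONF = """\
$wifi_if = "urtwn0"
$wifi_addrs = ifaddrs(urtwn0)   # updated as addresses come and go
"""

# Before association: urtwn0 is up with only its IPv6 link-local address.
IFCONFIG_BEFORE_DHCP = """\
lo0: flags=0x8049<UP,LOOPBACK,RUNNING,MULTICAST> mtu 33624
        inet 127.0.0.1/8 flags 0
        inet6 ::1/128 flags 0x20<NODAD>
urtwn0: flags=0x8843<UP,BROADCAST,RUNNING,SIMPLEX,MULTICAST> mtu 1500
        ssid ""
        status: no network
        inet6 fe80::2a0:1ff:fe02:304%urtwn0/64 flags 0 scopeid 0x2
"""

# After dhcpcd has obtained a lease (192.0.2.0/24 is documentation space).
IFCONFIG_AFTER_DHCP = IFCONFIG_BEFORE_DHCP.replace(
    "status: no network",
    "status: active\n        inet 192.0.2.20/24 broadcast 192.0.2.255 flags 0")

if __name__ == "__main__":
    for name, conf in (("inet4/inet6", STATIC_CONF), ("ifaddrs", DYNAMIC_CONF)):
        for state, ifc in (("before DHCP", IFCONFIG_BEFORE_DHCP),
                           ("after DHCP", IFCONFIG_AFTER_DHCP)):
            print(f"{name} config, {state}:", check_config(conf, ifc) or "ok")
```

Run against the static config and the pre-association ifconfig sample, the check flags only the inet4(urtwn0) reference: the interface already carries a link-local IPv6 address, so inet6() has something to resolve, while no IPv4 address exists until dhcpcd finishes, which is exactly the load failure described in the report. The ifaddrs() form produces no findings in either state. On a real host the ifconfig text would come from `ifconfig -a` and the config from /etc/npf.conf.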


From: Sevan Janiyan <venture37@geeklan.co.uk>
To: gnats-bugs@NetBSD.org
Cc: 
Subject: Re: bin/53512 (A dynamically configured which has not yet obtained an
 address can cause npf & npfd to fail)
Date: Sat, 27 Oct 2018 15:40:16 +0100

 On 9/3/18 7:14 AM, maxv@NetBSD.org wrote:
 > Use ifaddrs() instead of inet4()/inet6(). inetX are static, and can't work
 > in your case, see the latest npf.conf(5) man page. Can you try?

 Thanks Maxime, that did the trick.


 Sevan

Responsible-Changed-From-To: bin-bug-people->maxv
Responsible-Changed-By: sevan@NetBSD.org
Responsible-Changed-When: Tue, 30 Oct 2018 13:58:55 +0000
Responsible-Changed-Why:
Maxime was right


State-Changed-From-To: feedback->closed
State-Changed-By: sevan@NetBSD.org
State-Changed-When: Tue, 30 Oct 2018 13:58:55 +0000
State-Changed-Why:
Using ifaddrs() resolved the issue


>Unformatted:
